Cyber researchers sound alarm over a 15-year-old Linux kernel flaw – 'GhostLock' could let hackers seize unpatched machines in just five seconds
Researchers at Nebula said the GhostLock exploit is 97% reliable and can escape containers
Researchers at Nebula Security have discovered a Linux kernel flaw dating back to 2011 that lets any logged-in user take full root control of an unpatched machine in just five seconds.
Dubbed GhostLock (CVE-2026-43499), it was introduced in Linux 2.6.39 and fixed in Linux 7.1.
The flaw allows an unprivileged local attacker to get a dangling kernel pointer to kernel stack memory with only regular threading syscalls, write a pointer to an arbitrary address, and hijack a function table to get root access.
GhostLock has been shipped by default in every mainstream distribution since 2011, and requires no special privileges or network access. Nebula, which uncovered the flaw, said its exploit is reportedly 97% reliable and can also escape containers.
This particular flaw is the second part of an attack chain dubbed IonStack, with the first step being CVE-2026-10702, a vulnerability in Firefox that allows code execution within the browser and escapes its sandbox.
The vulnerability is rated high (7.8) as the attacker would already need to have local access to the system.
How the GhostLock flaw works
Nebula researchers said the root cause is a function reused by a caller it was never written for: the helper function remove_waiter(). During certain futex operations, it incorrectly clears a pointer associated with the currently executing task, rather than the actual waiting task.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
This leaves the kernel with a dangling pointer that points to a memory location that has already been freed and reused. This allowed the Nebula team to gain full control, tricking the kernel into running their own code as the root user.
Daniel Bechenea, security manager at Pentest Tools, said the flaw is of particular concern because kernel exploits have historically carried a “real operational cost for attackers”.
“An unreliable one crashes the box and burns the access,” he explained. “An exploit that Nebula reports as 97% reliable, with public code anyone can run, changes that math.”
"As GhostLock uses a kernel vulnerability, containers also represent a juicy target for attackers as the exploit escapes the container and obtains code execution as root on the host OS, meaning that: containerised workloads that teams treat as isolated become stepping stones to the host and everything else scheduled on it."
Patch now
Systems running older kernels remain vulnerable to exploitation, according to Nebula. Researchers urged users and administrators to update to patched kernel versions as soon as possible.
"On an unpatched host, treat any code execution as root, and plan containment accordingly," advised Bechenea.
"Prioritize the systems that run untrusted or semi-trusted code by design: CI runners, container platforms, shared development machines, multi-tenant hosts, and verify the fixed kernel package version on each system rather than trusting that the April fix propagated, because with several major LTS releases still lagging in early July, attackers who land a foothold will check your kernel version even if you haven’t."
FOLLOW US ON SOCIAL MEDIA
Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
Flaws in some of the most popular AI coding tools left developers wide open to attackNews Malicious repositories can trick advanced AI agents into silently breaking out of their workspace sandboxes
-
The memory shortage is hitting PC sales hard, but vendor revenues are still growingNews AI-driven component shortages are hurting PC sales, but device vendors are recording solid revenue growth
-
Alert issued over critical vulnerabilities in Linux’s AppArmor security layer – more than 12 million enterprise systems are at risk of root accessNews Researchers have warned Linux flaws allow unprivileged local users to gain root privileges and weaken container isolation
-
Best server distrosBest We've evaluated the best server distros around to help you and your business make the best choice for your OS
-
"We got lucky": What the XZ Utils backdoor says about the strength and insecurities of open sourceAnalysis The XZ Utils backdoor could’ve caused serious problems for Linux, but luckily a developer spotted the malicious code and prevented disaster
-
Linux just hit an all-time high share of the global desktop market — and surging popularity in India is driving uptake of the open source operating systemNews Linux is still dwarfed by operating systems such as Windows, but it’s making modest gains off the back of growing popularity in emerging markets
-
Windows is getting its own Sudo command, just like Linux - here’s what you need to know and how you can use itNews The Sudo for Windows command feature might make life a little easier for administrators - so long as they are aware of the potential security risks
-
Linux Blue Screen of Death gives users a taste of the dreaded Windows featureNews The Linux Blue Screen of Death has been added in a recent update
-
Five things to consider when switching to Linux MintIn-depth A guide to what you'll need to think about if you switch your old laptops to Linux Mint
-
How to run graphical Linux applications in WindowsIn-depth Why limit yourself to one software library? ITPro finds out how to run Linux software natively on Windows